P9. Collection of user information from third parties (internet companies)

The company should clearly disclose its practices with regard to user information it collects from third-party websites or apps through technical means.

Elements
  1. Does the company clearly disclose what user information it collects from third-party websites through technical means?
  2. Does the company clearly explain how it collects user information from third parties through technical means?
  3. Does the company clearly disclose its purpose for collecting user information from third parties through technical means?
  4. Does the company clearly disclose how long it retains the user information it collects from third parties through technical means?
  5. Does the company clearly disclose that it respects user-generated signals to opt out of data collection?

Research guidance

We expect companies to disclose what information about users they collect from third parties, which in this case typically means information collected from third-party websites or apps through technical means, for instance through cookies, plug-ins, or widgets. Company disclosure of these practices helps users understand if and how their activities are being tracked by companies even when they are not on a host company’s website.

One prominent user-generated signal is the “Do Not Track” standard. Also known by the acronym “DNT,” this refers to a setting in a user’s browser preferences that tells entities not to “track” them. In other words, every time a user loads a website, any parties that are involved in delivering the page (of which there are often many, primarily advertisers) are told not to collect or store any information about the user’s visit to the page. However, this is merely a polite request: a company may ignore a DNT request, and many do.

Potential sources:

  • Company privacy policy
  • Company policy on third parties